Trojan.Agent.AVQ???
Hi,
I ran the virusscan the other day and it reported that the file C:\Windows\System32\OCLBOCL.DLL is infected with Trojan.Agent.AVQ and it was unable to disinfect it.
I can't delete the file, as it reports access denied. Have tried booting up in Safe mode with command prompt (Windows XP Home) to delete the file, but still get access denied.
I tried to remove the reference in the registry. But it was automatically put back in again!!
Any ideas of what Trojan.Agent.AVQ does and how I can get rid of it?
Many thanks
Comments
-
Hi Vince
I suggest that you try this. Reboot your PC and press the F8 key several times before the Windows load screen, then choose safe mode. After that go to Start, Run; at the Run dialog box type cmd and press Enter. Then type the following commands:
%SystemDrive% press on enter
cd %ProgramFiles%\Common Files\Softwin\BitDefender Scan Server press on enter
Here are the commands for what BitDefender must do with the infected files:
To disinfect the infected files type the command:
bdc /files /boot /arc /mail /log=bdcscan.log /fixed /dis
To quarantine the infected files type the command:
bdc /files /boot /arc /mail /log=bdcscan.log /fixed /move /moves
To delete the infected files type the command:
bdc /files /boot /arc /mail /log=bdcscan.log /fixed /del
You also have to press on enter.
I suggest that you also disable system restore by doing this: go to Start, right-click on the My Computer icon, choose Properties, System Recovery, check "disable system restore on all stations (drives)" and confirm by pressing Apply and OK. Then uncheck it again; don't forget to confirm again.
Regards
Niels
-
Did you try to remove the registry reference in Safe Mode? You could also try to kill any process related to Trojan.Agent.AVQ, if you can find any.
Andrei
-
I'm not very experienced but try this: right-click on the small BD icon on the taskbar, go to Antivirus and uncheck the Real time protection. Now try to delete the infected folder again and empty the recycle bin. After this enable the real time protection. Problem solved?
-
Please upload the file here in an archive with the password infected and I'll have a look at it.
-
I am working with my roommate's PC infected w/ Trojan.Agent.AVQ and Trojan.Agent.AOJ. They seem to create or infect a different .dll file for every user I have read about researching forums. Trojan.Agent.AVQ seems to be an alias for Trojan.Click.2330. There is a guy in the UK, bughunter, who has more removal info g/ search on the name bughunter
-
If BD detects the trojan it will stop it from infecting other files, and if it can't disinfect or move it to quarantine it will continue to stop it from infecting other files, although it won't let you manually delete it. To do that just try what I've said (disable Real time protection, delete infected files, empty recycle bin and enable the real time protection).
-
If BD detects the trojan it will stop it from infecting other files, and if it can't disinfect or move it to quarantine it will continue to stop it from infecting other files, although it won't let you manually delete it. To do that just try what I've said (disable Real time protection, delete infected files, empty recycle bin and enable the real time protection).
As the name says, the file is a Trojan, this means that it won't infect other files like viruses. It could have different side effects, like (maybe) downloading and executing a Virus, or downloading other malware.
I'm not sure, but I don't think that this program injects code in other applications. Check the memory to see if there are any processes of the trojan and terminate them. After that, you should be able to remove both the registry entry and the file.
-
As I said I'm not a pro but my simple solution should work for deleting the file.
-
As I said I'm not a pro but my simple solution should work for deleting the file.
If it's indeed Trojan.Agent.AVQ... then, this won't work. Not only because this file is loaded under explorer.exe and winlogon.exe, (some variants are loaded under svchost.exe as well), but also because a related driver is locking the file. This is a real tough one to delete, because as long as the related driver is present, you won't be able to delete the file (unless you use the recovery console to delete it). The driver loads very early as well (Boot Bus Extender).
However, when the related driver is gone, the dll will be unlocked - but will still be hard to remove since it's still loaded under explorer and winlogon.exe and watches the PendingFileRenameOperations key (which explains that you cannot delete the file during reboot either).
It's a very stubborn infection to delete unfortunately... unless the right tools are being used... and you know what you are doing.
But in most cases, people prefer the recovery console to get rid of it.
-
Hi miekiemoes,
Glad to see an expert posted here.
-
Well miekiemoes, I managed to delete this trojan when I was infected with it but indeed it's not easy.
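The PendingFileRenameOperations behaviour described in miekiemoes's post can be checked before a reboot by decoding that value (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) and confirming the queued delete is still there. This is an added example, not part of any post in the thread; the function names are hypothetical and the two byte strings are constructed samples standing in for exports of the value taken before and after the entry disappears.

```python
"""Decode PendingFileRenameOperations data and check for a queued delete."""

NT_PREFIX = "\\??\\"  # native path prefix used inside the value


def _strip(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw):
    """Return [(source, destination_or_None, replace_existing)] from raw bytes."""
    strings = raw.decode("utf-16-le").split("\x00")
    if strings and strings[-1] == "":
        strings.pop()  # nothing follows the final NUL
    if len(strings) % 2 and strings[-1] == "":
        strings.pop()  # list terminator, not an empty destination
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")  # "!" means overwrite an existing target
        dst = dst.lstrip("!")
        # An empty destination means "delete the source at next boot".
        ops.append((_strip(src), _strip(dst) if dst else None, replace))
    return ops


def is_delete_pending(raw, path):
    """True if `path` is queued for deletion (case-insensitive match)."""
    return any(dst is None and src.lower() == path.lower()
               for src, dst, _ in parse_pending_renames(raw))


def _multi_sz(*strings):
    """Build constructed REG_MULTI_SZ bytes for the samples below."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


TARGET = r"C:\Windows\System32\OCLBOCL.DLL"  # path from the first post
# Constructed sample: delete of the DLL queued, plus an unrelated file move.
BEFORE = _multi_sz(NT_PREFIX + TARGET, "",
                   r"\??\C:\Temp\setup.tmp", r"!\??\C:\Program Files\App\app.dll")
# Constructed sample: same value after the delete entry has been stripped out.
AFTER = _multi_sz(r"\??\C:\Temp\setup.tmp", r"!\??\C:\Program Files\App\app.dll")

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        print(label, "delete still queued:", is_delete_pending(data, TARGET))
```

The empty destination string is why the raw bytes are split by hand: a decoder that stops at the first double NUL would cut the list off at the delete entry.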